SteamCloud Privilege Escalation
Now that I have code execution on the NGINX pod, I should be able to use it to perform a privilege escalation. I am going to create my own highly privileged service account. First, I need to grab the token.
Next, I need to grab the CA certificate.
With these two things, I should now be able to perform higher-privileged operations. I will save the certificate to a file and export the token to an environment variable. I reran the certificate command but piped the output to a file using '| tee -a ca.cert'. I ran the following to export the token to the token environment variable. Replace '–snip–' with the token.
With the token and certificate in my possession, I can use kubectl to talk to the host. As you can see from the command below, I can query the pod. Let's check to see what actions I can perform. The output below shows that I can get, create and list pods. I can see where this is going.
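The get, create and list rights on pods seen above are what a cluster owner would want to find before an attacker does. The following is an added example, not part of the original write-up: a small audit that lists service accounts whose bound roles allow creating pods. The role, binding and account names in the sample data are constructed.

```python
SAMPLE = {  # constructed; same shape as a `kubectl get ... -o json` List
    "items": [
        {"kind": "Role", "metadata": {"name": "pod-manager", "namespace": "default"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "create", "list"]}]},
        {"kind": "Role", "metadata": {"name": "cm-reader", "namespace": "default"},
         "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
        {"kind": "RoleBinding", "metadata": {"name": "web-pods", "namespace": "default"},
         "roleRef": {"kind": "Role", "name": "pod-manager"},
         "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "default"}]},
        {"kind": "RoleBinding", "metadata": {"name": "batch-cm", "namespace": "default"},
         "roleRef": {"kind": "Role", "name": "cm-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "batch", "namespace": "default"}]},
    ]
}

def grants(rule, verb, resource):
    """True if one RBAC rule allows `verb` on core-group `resource` (wildcards included)."""
    in_core = any(g in ("", "*") for g in rule.get("apiGroups", []))
    has_res = any(r in (resource, "*") for r in rule.get("resources", []))
    has_verb = any(v in (verb, "*") for v in rule.get("verbs", []))
    return in_core and has_res and has_verb

def risky_service_accounts(listing, verb="create", resource="pods"):
    """Return sorted (namespace, account, role) tuples for service accounts with the grant."""
    roles = {}  # (kind, namespace or None, name) -> rules
    for obj in listing["items"]:
        if obj["kind"] in ("Role", "ClusterRole"):
            ns = obj["metadata"].get("namespace")
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules") or []
    findings = set()
    for obj in listing["items"]:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A Role lives in the binding's namespace; a ClusterRole has none.
        ns = obj["metadata"].get("namespace") if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], ns, ref["name"]), [])
        if not any(grants(r, verb, resource) for r in rules):
            continue
        for s in obj.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                findings.add((s.get("namespace") or "", s["name"], ref["name"]))
    return sorted(findings)

if __name__ == "__main__":
    for ns, sa, role in risky_service_accounts(SAMPLE):
        print(f"{ns}/{sa} can create pods via {role}")
```

To run it against a real cluster, load the JSON from `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json` in place of `SAMPLE`. Bindings to groups such as `system:serviceaccounts` are not expanded by this check.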